3. www.isecpartners.com
Information Security Partners (iSEC)
• iSEC Partners
– Independent security consulting and product organization
• Our Focus
– Application Security
• Java, C++ and .NET applications
• Attacking Web Services (XML, SOAP) – Alex Stamos and Scott Stender
– Network Security
• Firewalls, Routers/Switches, VPNs, and Operating Systems
– Storage Security
• NAS, iSCSI, and SANs
– Product Security
• Software Applications (home grown and commercial off-the shelf)
• Hardware Appliances (devices)
• For more information
– https://www.isecpartners.com
4. www.isecpartners.com
Introduction
• iSCSI
i = Internet Protocol
SCSI = Small Computer System Interface
iSCSI = Insecure SCSI
• What is iSCSI?
– iSCSI (Internet Small Computer Systems Interface) provides access to
block level data over traditional IP networks
– SCSI blocks have mostly been used with Fibre Channel SANs
– Unlike NAS storage devices using CIFS/NFS at the file level, SCSI blocks
work at lower levels by offering entire data stores (LUNs) to iSCSI clients
5. www.isecpartners.com
Introduction
• Block level vs. File level
– File Level: CIFS (SMB) and NFS file systems over a network connection
– Block Level: The actually drive (not the file system) over a network
– Simplistic example: A file system versus an entire hard drive
• Security and iSCSI
– Authentication – CHAP (weak)
– Authorization – Initiator Node Names (spoof-able)
– Encryption – IPSec shared secret (deployment challenges)
• Why should we care?
– A compromise of a single iSCSI device equates to the compromise of several (10 to
100) operating systems at once!
• Who cares about admin, root, or system accounts when the entire data store can
be compromised?
6. www.isecpartners.com
Introduction
• What *some* vendors say about iSCSI Security
• Implies trusting everyone (employees, vendors, business partners, guests,
contractors, consultants, wireless users, and remote VPN users) that is
connected to the internal network
Agree to…..
- Remove all file permissions from all folders in every operating system
- Allow everyone to read everyone else's email
- Remove all passwords from databases
- Allow everyone to view HR information (Soc Sec Numbers, Salaries)
- Tell the Auditors that “Internal controls are for sissies”
7. www.isecpartners.com
Introduction
• iSCSI Architecture Components
– iSCSI Initiator: An iSCSI client
– iSCSI Target: An iSCSI storage device/appliance
– iSNS (optional): iSCSI Name Services (A table that groups iSCSI
Initiators and Targets in Domain Sets for logical
segmentation
• Terms and Definitions
– iQN: Initiator Node Name (Identity value for iSCSI clients,
similar to MAC addresses)
– Domain Sets: Logical segmentation of iSCSI entities (Targets and
Initiators into separate groups)
– LUNs: Logical Unit Numbers (A logical array of storage
units. One storage entity can be divided into
multiple LUNs)
8. www.isecpartners.com
Introduction
• iSCSI Initiators
– iSCSI Clients
– Use a regular NIC (IP) with an iSCSI client driver
• iSCSI Drivers
– Microsoft
– Cisco
– IBM
– HP
• NO special hardware required
• Works over existing IP networks
iSCSI Driver
9. www.isecpartners.com
Introduction
• iSCSI Targets
– iSCSI Devices (Appliances)/Servers
– Offer large volumes of data (block level) over the IP network
• iSCSI Vendors
– Cisco
– EMC
– Network Appliance
– HP
– IBM
• Listens on TCP port 3260
iSCSI Device
12. www.isecpartners.com
OS
Introduction
• iSNS Servers (iSCSI Simple Name Services)
– Software that runs on an operating system or an iSCSI Device
– iSCSI initiators and targets register with the iSNS server
• Similar to DNS
– An iSNS server is responsible for:
• Informing iSCSI clients about which iSCSI targets are available on the network
• Grouping iSCSI clients to their correct Domain Set
• Informing iSCSI clients what security aspects (if any) they must use to
associate to targets
– Listens on port TCP 3205.
iSCSI Device
iSNS Server
13. www.isecpartners.com
Introduction
• iSNS Model
XYZ iSCSI Storage Device
iSCSI Client iSNS Server
123 iSCSI Storage Device
iSNS Registration
Available iSCSI Targets….for your Domain Set
iqn.1987-05.com.XYZ:111773
Query iSNS information
iqn.1991-05.com.microsoft:win2003
Exchange Domain
iqn.1991-05.com.microsoft:win2004-hd
iqn.1992-08.com.123:112699
Default Domain Set
iqn.1991-05.com.microsoft:win2003
iqn.1987-05.com.XYZ:111773
iSNS
Registration
iqn.1987-05.com
.XYZ:111773
15. www.isecpartners.com
Introduction
Top 5 iSCSI Security Issues
1. iQN Values are trusted
a. iQN are spoof-able, sniff-able, and can be brute-forced
2. iSCSI Authorization is the only required security entity,
which relies on iQN values
3. iSCSI Authentication is disabled by default
4. iSCSI Authentication uses CHAP
5. iSNS servers are not protected
iSCSI is a clear text protocol
17. www.isecpartners.com
iSCSI Enumeration
• Scanning iSCSI Targets (Devices)
– TCP port 3260 and 3205
– StorScan is a focused port scanner for storage devices
• iSCSI SANs and IP NAS
• Yes. Nmap is much better, but StorScan is focused (filtered)
– storscan.exe <range>
18. www.isecpartners.com
iSCSI Enumeration
• Enumeration
– iSCSI Targets (iSCSI Devices)
• Listen on TCP port 3260
– iSNS
• Listen on TCP port 3205
– iSCSI Clients
• Do not listen on a port, but can be enumerated from the iSNS server
19. www.isecpartners.com
iSCSI Enumeration
• iSNS registration
– If unique Domain Sets are not created,
each iqn will be placed in the Default
Domain Set.
– Any member of a domain set will be
able to enumerate/access the other
nodes in the same domain set
• This is why it is important to move
nodes out of the Default Domain Set
– Foo can
1. Scan for port 3205 and find a iSNS
server
2. Connect to the iSNS server
3. Enumerate the other iSCSI nodes,
which can now be used for iqn spoofing
attacks (described later)
20. www.isecpartners.com
iSCSI Enumeration
• iSNS Man-in-the-Middle
– Identify iSNS server on port 3205
– Using layer 2 ARP poisoning attacks, a fake iSNS server can
replace the real iSNS server
• The real iSNS will continue to receive iSNS information from
targets and clients, but after the fake iSNS has control of the
packets
• This allows the fake iSNS server to
– View all registrations (both targets and clients)
– Modify or change Domain Sets
– Downgrade Domain Sets that require security
(remove authentication or encryption)
23. www.isecpartners.com
iSCSI Authorization
• iSCSI
– Authorization (Required)
• Required iSCSI Security component
• Initiator Node Name
– Only unknown variable is the end string
» iqn.1991-05.com.microsoft:HOSTNAME
» iqn.1987-05.com.cisco:xxxxxx
» iqn.1992-08.com.ibm:<partition identifier>
– iQNs traverse the network in CLEAR-TEXT
» Easily sniffable, guessable, or enumerated
• An attacker can get access to large amounts of data with little effort
24. www.isecpartners.com
iSCSI Authorization
• iSCSI Authorization Attack
– Sniff iSCSI Communication
• Port 3260
• Get Initiator Node Names
– Spoof the Initiator Node Name
• Change Initiator name with iSCSI driver
– See Data
• Gain access to confidential and sensitive data
25. www.isecpartners.com
iSCSI Security
• iSCSI Attack Demo
iSCSI Storage Device
Trusted
iSCSI Client
Malicious
iSCSI Client
IP Switch
LUN 0001 LUN 0002
Trusted Client has
access to LUN 0001
iqn.1991-05.com.microsoft:win2003-hd
iqn.1991-05.com.microsoft:win2003-hd = LUN 0001
iqn.1991-05.com.microsoft:jum4nj1
Malicious client will perform
three steps to get access to
trusted data:
1. Sniff
2. Spoof
3. See Data
iqn.1991-05.com.microsoft:win2003-hd
26. www.isecpartners.com
iSCSI Security
• iSCSI Attack Demo
LUN 0005
LUN 0004
LUN 0003
LUN 0002
iSCSI Storage Device
Trusted
iSCSI Client
Malicious
iSCSI Client
IP Switch
LUN 0001
LUN 0010
LUN 0009
LUN 0008
LUN 0007
LUN 0006
Trusted Client has
access to LUN 0001,
0002, 0003, 0004, and
0005
iqn.1987-05.com.cisco:01.1e2d66bf412c
iqn.1987-05.com.cisco:01.1e2d66bf412 = LUN 0001 thru LUN 0005
iqn.1991-05.com.microsoft:win2003
Malicious client will perform
three steps to get access to
trusted data:
1. Sniff
2. Spoof
3. See Data
iqn.1987-05.com.cisco:01.1e2d66bf412c
27. www.isecpartners.com
iSNS Domain Hopping
• iSNS Domain (iGroup) Hopping
– Similar to VLAN hopping and Zone hopping (Fibre channel)
– Discovery Domains/iGroups rely on the iQN value of a node
for identification
– If a node simply spoofs the iQN value to match the iQN of
their target, the iSNS server will automatically update and
overwrite the legitimate node’s information with the
attacker’s spoofed information
• Domain/iGroup Damage:
– At a minimum, this is a Denial of Service Attack
– At a maximum, this would allow unauthorized hosts to
access targets (and their data LUNs) in restricted domains
37. www.isecpartners.com
iSCSI Authentication
• Message Reflection Attacks
– Reflection of a CHAP message challenge across multiple connections
• Overview
– An attacker (iSCSI client) would request authentication to a iSCSI target
• The client receives the CHAP ID and Challenge
– Since the attacker does not know the secret (password), it cannot formulate the correct
MD5 hash. However, the attacker can open a completely separate connection to the
target (connection number 2) and force the Target to authenticate to it
• The RFC states that any iSCSI target must response to authentication requests be default!
– The Target receives the same ID and Challenge it just sent to the client (but in a
different connection) and also knows the correct secret. The target will formulate the
correct MD5 hash and pass it back, as if it were trying to authenticate to the client
– This essentially gives the attacker (the client) the correct MD5 hash to authenticate in
the iSCSI Target in the first connection!
38. www.isecpartners.com
iSCSI Authentication
• Message Reflection
iSCSI Storage Device
iSCSI Client
(Attacker)
Auth Request
CHAP ID and Message Challenge
CHAP_I= 194
CHAP_C= e500370b
CHAP Hash
CHAP_R = c0d749fd2be1226c891e3c21d45016cd
(ID + secret +challege)MD5 = Hash (CHAP_R)
(194 + secret + e500370b) MD5 =
c0d749fd2be1226c891e3c21d45016cd
CHAP ID and Message Challenge
CHAP_I= 194
CHAP_C= e500370b
CHAP Hash
CHAP_R = c0d749fd2be1226c891e3c21d45016cd
!!!
Connection 1
Connection 2
40. www.isecpartners.com
iSCSI Petty Problems
• Microsoft iSCSI Client
– Driver logs iSCSI secrets (passwords) that don’t conform to the correct size
in the clear in the Event Viewer
44. www.isecpartners.com
iSCSI Defenses
• How to defend against these threats?
– CONFIGURATION, CONFIGURATION, CONFIGURATION
– Every iSCSI device should be secured just like an other operating system or
application
• Pay no attention to the man behind the curtain!
– Audit your iSCSI storage devices/networks and assess the risk!
• STORAGE need your security loving too!!!
– iSCSI storage devices, which hold your DATA, are similar to everything else
on the network….
• Vulnerable to attacks
• Security holes and weaknesses
• Need to be protected and secured
45. www.isecpartners.com
iSCSI Defenses
Top 10 iSCSI Security Recommendations
• Specific configurations
1. Enable Mutual Authentication
• Do not rely solely CHAP Auth
2. Create Multiple Discover Domains
• Only use the Default Domain Sets for random registrations
3. Enable CRC checksums for integrity checking
4. Require iSNS IPSec (where possible)
5. Do not only rely on iQNs for security authorization values
6. Enable iSCSI IPSec (where possible)
• Vendors!
7. Incorporate Kerberos
8. Enable authentication by default
9. Support iSNS authenticated heartbeats before registrations
10. Support iSNS security features in the RFC
46. www.isecpartners.com
Questions
Himanshu Dwivedi
Himanshu Dwivedi
•
• hdwivedi@isecpartners.com
hdwivedi@isecpartners.com or
or hdwivedi@lokmail.com
hdwivedi@lokmail.com
Security Books Authored by presenter:
Security Books Authored by presenter:
•
• Securing Storage
Securing Storage
•
•Publish date: Fall 2005
Publish date: Fall 2005